Does the outgoing balance example work?

Max Laier max at love2party.net
Thu Dec 23 03:28:46 PST 2004


On Wednesday 22 December 2004 20:20, Paul J. Pathiakis wrote:
> BTW,  I should mention that this is load balancing.  According to my logs,
> traffic is going out both interfaces....  it's just not coming back.

Can you provide me (off-list if you prefer) with some tcpdump logs from both 
outgoing interfaces? The output of $pfctl -vvsr and $pfctl -vvsn would also 
be interesting.

> P.
>
> On Wednesday 22 December 2004 14:12, Paul J. Pathiakis wrote:
> > Hi,
> >
> > 	I'm trying to get pf to load balance outgoing on two outbound lines
> > (cable and dsl). My pf.conf is based on the example from the pf faq at
> > www.openbsd.org.  I've changed parameters to match my machine and I still
> > can't get it to load balance outgoing connections on my machine.  As soon
> > as I enable the route-to rules for balancing, my web browser stops
> > working and quite a few other utilities stop working.  It connects to the
> > site but the response never comes back.  Is it possible that nat isn't
> > working correctly?  Is it possible that the return addresses aren't
> > getting correctly set? How do I troubleshoot this?  The example (below)
> > seems pretty straightforward. I've enabled my pflog (made sure every
> > filter is logging).
> > I can check states with pfctl commands.  I just can't see what's wrong.
> > Is there anything that I'm missing? (Please note that I changed the
> > "default block all" to pass in all and pass out all.)
> >
> > thanks!
> >
> > Paul P.
> >
> > lan_net = "192.168.0.0/24"
> > int_if  = "dc0"
> > ext_if1 = "fxp0"
> > ext_if2 = "fxp1"
> > ext_gw1 = "68.146.224.1"
> > ext_gw2 = "142.59.76.1"
> >
> > #  nat outgoing connections on each internet interface
> > nat on $ext_if1 from $lan_net to any -> ($ext_if1)
> > nat on $ext_if2 from $lan_net to any -> ($ext_if2)
> >
> > #  default deny
> > #block in  from any to any
> > #block out from any to any
> > pass in from any to any
> > pass out from any to any
> >
> > #  pass all outgoing packets on internal interface
> > pass out on $int_if from any to $lan_net
> >
> > #  pass in quick any packets destined for the gateway itself
> > pass in quick on $int_if from $lan_net to $int_if
> >
> > #  load balance outgoing tcp traffic from internal network.
> > pass in on $int_if route-to \
> >     { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
> >     proto tcp from $lan_net to any flags S/SA modulate state
> > #  load balance outgoing udp and icmp traffic from internal network
> > pass in on $int_if route-to \
> >     { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
> >     proto { udp, icmp } from $lan_net to any keep state
> >
> > #  general "pass out" rules for external interfaces
> > pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
> > pass out on $ext_if1 proto { udp, icmp } from any to any keep state
> > pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
> > pass out on $ext_if2 proto { udp, icmp } from any to any keep state
> >
> > #  route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
> > #  $ext_if2 and $ext_gw2
> > pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
> > pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
> >
> > _______________________________________________
> > freebsd-pf at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> > To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
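
One way to read the per-interface tcpdump captures requested above, as an added example that is not part of the original message: for each external interface, check that outgoing packets carry that interface's own address and that a reply comes back on the same link. The interface addresses (198.51.100.10 for fxp0, 203.0.113.20 for fxp1), the remote host and the capture lines are constructed placeholders, and the `audit` helper is hypothetical.

```python
import re
from ipaddress import ip_address, ip_network

# Matches "IP src[.port] > dst[.port]:" in `tcpdump -n` output.
LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))? > (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?:")

# Constructed capture for fxp0; every address here is a placeholder.
FXP0_CAPTURE = """\
03:20:01.000001 IP 198.51.100.10.50001 > 192.0.2.80.80: Flags [S], seq 1, length 0
03:20:01.020001 IP 192.0.2.80.80 > 198.51.100.10.50001: Flags [S.], seq 9, ack 2, length 0
03:20:02.000001 IP 203.0.113.20.50002 > 192.0.2.80.80: Flags [S], seq 5, length 0
03:20:03.000001 IP 192.168.0.5.50003 > 192.0.2.80.80: Flags [S], seq 7, length 0
03:20:04.000001 IP 198.51.100.10 > 192.0.2.80: ICMP echo request, id 1, seq 1, length 64
"""

def audit(capture, if_addr, other_addr, lan_net):
    """Return {(src, sport, dst, dport): verdict} for outgoing flows."""
    lan = ip_network(lan_net)
    flows, seen = {}, set()
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        flow = m.groups()                # ports are None for ICMP lines
        seen.add(flow)
        src = flow[0]
        if ip_address(src) in lan:
            verdict = "not translated"   # LAN source left the box untranslated
        elif src == other_addr:
            verdict = "wrong link"       # source owned by the other uplink
        elif src == if_addr:
            verdict = "ok"
        else:
            continue                     # inbound packet, only recorded in seen
        flows.setdefault(flow, verdict)
    # A correctly translated flow still needs its reverse direction.
    for (src, sport, dst, dport), verdict in list(flows.items()):
        if verdict == "ok" and (dst, dport, src, sport) not in seen:
            flows[(src, sport, dst, dport)] = "no reply seen"
    return flows

if __name__ == "__main__":
    result = audit(FXP0_CAPTURE, "198.51.100.10", "203.0.113.20", "192.168.0.0/24")
    for flow, verdict in result.items():
        print(flow, verdict)
```

Run it once per external interface with the two addresses swapped; "wrong link" and "not translated" point at the route-to and nat rules respectively, while "no reply seen" on an otherwise correct flow points upstream of the firewall.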